docs(README): tone down secureblue credit (no code lifted yet)
We layer on their OCI image as v0.7 base; we don't redistribute their source. Drop the AGPLv3-attribution prose — that becomes relevant only if/when we ship a verbatim chunk of their config/policy in our repo.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
parent
dac69f2edc
commit
eb840880b4
1 changed files with 14 additions and 23 deletions
37
README.md
@ -142,31 +142,22 @@ veilor-os is **not** trying to compete with Whonix-style anonymity or
|
|||
Qubes-style isolation. It is a **hardened daily-driver desktop** — fast,
|
||||
clean, locked down, with no manual post-install hardening required.
|
||||
|
||||
### Credit & relationship to secureblue
|
||||
### Relationship to secureblue
|
||||
|
||||
[secureblue](https://github.com/secureblue/secureblue) (AGPLv3) is an
|
||||
upstream hardened atomic Fedora build that already solves a long list
|
||||
of problems we'd otherwise reinvent: Trivalent (hardened Chromium),
|
||||
custom SELinux policy, sysctl hardening, `module.sig_enforce=1`,
|
||||
USBGuard defaults, libpam-pwquality config, kernel cmdline hardening,
|
||||
and a full BlueBuild OCI pipeline with cosign-signed releases. The v0.7
|
||||
veilor-os spike layers on top of secureblue's
|
||||
`securecore-kinoite-hardened-userns` image rather than re-deriving the
|
||||
same hardening from scratch.
|
||||
[secureblue](https://github.com/secureblue/secureblue) is an upstream
|
||||
hardened atomic Fedora project we benchmark against and plan to **build
|
||||
on top of** at v0.7. The v0.7 BlueBuild spike uses their
|
||||
`securecore-kinoite-hardened-userns` OCI image as its base — we don't
|
||||
ship their source code in this repo, we layer veilor branding,
|
||||
theming, the gum installer, and the kickstart bootstrap on top of
|
||||
their already-signed image.
|
||||
|
||||
Where veilor-os differs is the path, not the destination: a
|
||||
kickstart-installed flat install for v0.5.x (operator-friendly LUKS
|
||||
flow, single-prompt install), a hybrid kickstart-bootstrap +
|
||||
secureblue-OCI image at v0.7, and a fully OCI/`bootc upgrade` path at
|
||||
v1.0. Branding, theming, the gum installer, the 3-mode power CLI, and
|
||||
the Forgejo-hosted CI/release plumbing are veilor's own work.
|
||||
|
||||
If a chunk of secureblue code, config, or policy ends up in veilor-os
|
||||
verbatim or near-verbatim, the file carries an upstream-attribution
|
||||
header and the LICENSE file in this repo records the AGPLv3 obligation
|
||||
on those files. Anything we ship under MIT is original to this repo.
|
||||
Thanks to the secureblue maintainers — without their public work the
|
||||
v0.7 path would be a year of duplicate effort.
|
||||
Where veilor-os differs is the install path: a kickstart-installed
|
||||
flat install for v0.5.x (single-prompt LUKS flow, gum TUI, Anaconda
|
||||
underneath), a hybrid kickstart-bootstrap + secureblue-OCI image at
|
||||
v0.7, and a fully OCI / `bootc upgrade` path at v1.0. Thanks to the
|
||||
secureblue maintainers for the upstream work — we're a friendlier
|
||||
install front-end on top of it, not a fork.
|
||||
|
||||
---
|
||||
|
||||
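Review bot: The rewritten secureblue paragraph (from "hardened atomic Fedora project we benchmark against" through "their already-signed image") drops both the "(AGPLv3)" tag on the link and the list of what the base image supplies, so the README no longer tells a reader which hardening (custom SELinux policy, sysctl hardening, `module.sig_enforce=1`, USBGuard defaults and the rest of the removed list) is inherited from upstream, or under what license upstream ships it. Consider keeping the license tag on the link and a one-line summary of the inherited hardening, even with the attribution-header paragraph gone. "Already-signed image" also replaces the earlier "cosign-signed releases" wording: if the v0.7 build verifies that signature on the base image before layering, say so here; if it does not, the phrase reads as a stronger assurance than this text backs. The removed sentence "Anything we ship under MIT is original to this repo" was the only statement of this repo's own license in the hunk; if it is not stated elsewhere in the README, keep it. Minor: "plan to build on top of at v0.7" and "The v0.7 BlueBuild spike uses" disagree on whether this is planned or already in place; pick one.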